The more gold, items, achievements and general progression you gain for the characters on your World of Warcraft account, the higher you will value it. There is another value that increases at the same time: the value it has on the black market, whether for the entire account or just the gold within it. Account hackers, phishers and scammers get more advanced and innovative each day, and in turn we need to ensure that we have maximum security for our accounts.
My name is Sinshroud and I'm going to share with you some of the best security practices to keep your account safe! I have been playing World of Warcraft non-stop since Pre-BC, I have 2 accounts on US and 2 accounts on EU servers. I have over 1.5 million gold that I guard very closely. I've never been hacked. EVER. I don't even have an authenticator (although I do recommend it).
Before we get started, the most basic form of protection for your account is a proper password. There are various ways that your password can be obtained and your account compromised. Some of the attacks are hit-and-miss random attacks sent to thousands of people, while others are more sinister attacks targeted at your account specifically.
- Guesswork / Common Sense Password Attacks - entering words or phrases that are directly related to you, or trying common password variations such as "sinshroudpassword", "ericwowpassword" or "password1234".
- Bruteforce Password Attacks - this is when a computer runs a program that tries every single possible number, letter or character combination until one works, such as "000", "001", "002" ... "009", "010", "011", "012" ... "019", "020", "021", "022" ... etc., or a list of guesses (your main character name or your real life details in various forms, or simply commonly used passwords such as "sinshroudpassword", "ericwowpassword" or "password1234").
- Phishing Attacks - account thieves impersonate someone such as Blizzard and ask you to log in on a fake site, which then gives them access to your account or installs a keylogger/virus on your computer. I will show you how to identify such attacks later on in this guide.
- Keylogging or Virus Attacks - spyware, trojans, viruses and other malicious programs can install keyloggers on your computer which record your key strokes and capture your usernames and passwords. This is very dangerous because if they have access to your WoW account like this, there is a good chance they also have access to your Facebook/Twitter/MySpace/Email/Work accounts for identity theft, as well as your banking details. I will show you how to use a program such as KeePass to avoid needing to type in usernames and passwords ever again, making keyloggers far less effective against you.
You can easily guard against both Guesswork / Common Sense Password Attacks and Bruteforce Password Attacks by having a password that follows good password practices and standards. Microsoft has a good example of How To Create Strong Passwords that the average computer user can apply and make use of without the inconvenience of needing to remember a 64 character hexadecimal password.
- Always use a password that is eight characters or longer - the longer it is, the longer a bruteforce attack will take to crack it.
- Never use the same password for everything - if one of your passwords gets compromised you want to limit it to only that account. I will show you how to use KeePass to store and manage all of your different passwords.
- Change your passwords often - this is something people always either forget to do, or purposely put off out of inconvenience. Just do it every couple of months.
- Use a variety of characters in your passwords - letters, numbers, symbols, words, phrases.
- Never include personal data in your passwords - don't include anything related to you such as your name, wife's name, school name, date of birth, ID/social security number, etc. Always keep it random and unrelated.
You can use a site such as this to get a general idea of your Password Strength.
For absolute maximum account security, as advised for WHM/cPanel/FTP/admin accounts or for simply really paranoid individuals, you can use a Random Password Generator to generate a strong but impossible to remember password. You could try combining a few of these randomly generated characters with the password created through Microsoft's method.
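As an added example (not part of the original guide), the rules above written as a small checker: it applies the length, character-mix, personal-data and common-pattern rules to a candidate password, and estimates how many seconds a bruteforce attacker trying every combination of the character classes actually used would need. The guess rate of 10 billion per second and the personal terms are assumptions chosen for illustration.

```python
import re

# Character classes the guide tells you to mix, with the size of each set
# (33 = printable ASCII symbols); the sizes feed the keyspace estimate.
CLASSES = {
    "lower": (r"[a-z]", 26),
    "upper": (r"[A-Z]", 26),
    "digit": (r"[0-9]", 10),
    "symbol": (r"[^A-Za-z0-9]", 33),
}
# Substrings from the guide's bad examples ("ericwowpassword", "password1234").
COMMON_PATTERNS = ("password", "1234", "qwerty", "wow")

def classes_used(password):
    return [name for name, (pat, _) in CLASSES.items() if re.search(pat, password)]

def charset_size(password):
    return sum(CLASSES[name][1] for name in classes_used(password))

def bruteforce_seconds(password, guesses_per_second=1e10):
    """Worst case for an attacker who tries every string of this length drawn
    from the character classes actually used (the guess rate is an assumption)."""
    return charset_size(password) ** len(password) / guesses_per_second

def check_password(password, personal_terms=()):
    """Apply the guide's rules; returns the list of problems (empty = passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    used = classes_used(password)
    if len(used) < 3:
        problems.append("uses only %d of 4 character classes" % len(used))
    low = password.lower()
    for term in personal_terms:          # name, character name, school, etc.
        if len(term) >= 3 and term.lower() in low:
            problems.append("contains personal data %r" % term)
    for pat in COMMON_PATTERNS:
        if pat in low:
            problems.append("contains common pattern %r" % pat)
    return problems

if __name__ == "__main__":
    # Constructed candidates: two from the guide's bad examples, one random one.
    for pw in ("ericwowpassword", "password1234", "g7#Kq2!vLm9$"):
        print(pw, check_password(pw, ["Eric", "Sinshroud"]),
              "%.0f s to exhaust" % bruteforce_seconds(pw))
```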
Phishing is one of the most commonly used methods to steal WoW accounts. If you have been playing World of Warcraft for a significant length of time, chances are you have seen every phishing attempt in the book sent to you.
The absolute best thing to do is to create a new email account with a trusted email host such as Google's Gmail.
- Create the account using a username (also known as a "local-part") that is easy to remember, descriptive and unique. I usually include the word "wow" so that I can identify the account. E.G. "email@example.com".
- Create the account using a password that is NOT THE SAME AS ANY OTHER PASSWORD OF YOURS. If you struggle to remember your passwords I will give you a few tips on this later on in this guide.
- Change your Battle.net World of Warcraft login account username to this new email address that you have created.
- Most importantly, NEVER use this email address for anything else. Not for MMO-Champion, not for The Consortium Forums, not for Elitist Jerks, not for Facebook, not for university or work, and definitely not for Buyquickgoldherewedontscamyou Gold Selling Sites.
What you have effectively achieved with this is that you should never receive phishing or spam email at this address. The ONLY email you should ever get in this email account is from the real Blizzard Entertainment or from your email provider. If you ever receive email from somewhere else, then you know you have been compromised. You might have a keylogger or virus on your computer that has provided spammers with your email address.
Even if you follow my advice above, I highly recommend ALWAYS checking every email you ever receive for phishing attempts.
Blizzard will ALWAYS greet you by your real name (or whatever name you made the account under). They will never just say "Hello" or "Dear Player", it will ALWAYS be "Dear Eric" or "Hello Eric" or just "Eric", etc. Account phishing is almost never a targeted attack, they won't be singling you out to attack, so scammers won't know any details about you.
Blizzard will NEVER send you an email notifying you that they are "aware you are trying to sell/trade your personal World of Warcraft account" or anything similar. If there is a problem or a suspected breach of their Terms of Service / End User License Agreement by you, they will simply lock, suspend or ban your account. If you receive an email about account disciplinary actions, simply try logging in in-game or visit Battle.net by manually typing the address into your web browser.
Scammers and phishers will try to get you to follow a link to a fake website. They are impersonating the Blizzard website, and when you log in on that site they then have your login details. So ALWAYS check the links in the email. An easy way to do this is to hover over the link and look at the "Status bar" in your email client or web browser, usually found in the bottom left corner of the screen: if it shows a different web address, or one that isn't Blizzard's, then it's a scam.
As you can see when hovering over the link text "https://www.battle.net/account/support/password-verify.html", the scammers make use of hyperlinking, which allows a user to click on a text-based link (which has been made to look like a URL) that actually points somewhere else. For example, www.facebook.com will actually take you to Twitter because I hyperlinked it. The link they show you in the email wants to take you to a different place. Also note that they make the fake link look like it ends in "battle.net" but it actually ends in "-account.com".
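The hover check described above, as an added example that is not part of the original guide: a small Python script that pulls every hyperlink out of an email's HTML body, compares the domain the visible text shows with the domain the link really goes to, and flags targets outside a short allow-list of Blizzard domains. The allow-list, the two-label domain rule and the sample email are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed short allow-list of domains legitimate Blizzard mail links to
# (illustrative; not Blizzard's official list).
TRUSTED_DOMAINS = {"battle.net", "blizzard.com", "worldofwarcraft.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body of an email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(url):
    """Last two host labels: 'www.battle.net-account.com' -> 'net-account.com'.
    (Simplification: ignores multi-label public suffixes such as co.uk.)"""
    host = (urlparse(url).hostname or "").lower()   # hostname drops user@ tricks
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def check_link(href, text):
    """Return the warnings for one hyperlink; an empty list means it passed."""
    warnings, target = [], registrable_domain(href)
    if target not in TRUSTED_DOMAINS:
        warnings.append(f"link goes to {target!r}, not a trusted Blizzard domain")
    if re.match(r"^(https?://|www\.)", text, re.I):   # visible text looks like a URL
        shown = registrable_domain(text if "://" in text else "http://" + text)
        if shown != target:
            warnings.append(f"visible text shows {shown!r} but link goes to {target!r}")
    if urlparse(href).scheme != "https":
        warnings.append("link is not https")
    return warnings

def check_email_html(html):
    """Map every href in the email body to its list of warnings."""
    p = LinkCollector()
    p.feed(html)
    return {href: check_link(href, text) for href, text in p.links}

# Constructed sample modelled on the guide's example: the visible text shows
# battle.net but the real target ends in "-account.com".
SAMPLE = """<p>Dear Player,</p>
<p>Verify now: <a href="http://www.battle.net-account.com/verify">https://www.battle.net/account/support/password-verify.html</a></p>
<p>Real mail: <a href="https://eu.battle.net/account/">https://eu.battle.net/account/</a></p>"""
```

Running `check_email_html(SAMPLE)` returns three warnings for the fake link (untrusted domain, mismatch between shown and real domain, plain http) and none for the real one.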
- Blizzard Entertainment will never ask you for your password (except at login screen harhar).
- Phishing emails make urgent / high priority appeals to you about your account being under investigation. Real Blizzard will just notify you and move on.
- Phishing emails that offer you stuff are usually too good to be true. If there is a giveaway or competition you will see it on the World of Warcraft homepage or announced on MMO-Champion and similar sites.
- Check for spelling, typos and syntax errors; Blizzard very rarely makes typos because they use a lot of macros and copy/paste answers and are also highly trained.
- Here is an article for ensuring that your web browser's Phishing Filter is enabled.
Here is Blizzard's guide at identifying Phishing Emails:
Blizzard have an excellent analysis of real versus fake comparisons for both In-game Mail and In-game Whispers.
With this step we are preparing for the case where you ever want to log in to your World of Warcraft Battle.net account online from someone else's computer. A scenario could be that you are out at a friend's and a guildie calls you to tell you that someone else is on your account who shouldn't be. You can quickly log on to your friend's computer to change your password - but how secure is their computer? You take one look at their browser and it looks like THIS - yikes!
You should always be prepared and these days you can fit half your life on a flash drive attached to your keychain. Make sure a portable CLEAN web browser such as Firefox Portable Edition is one of them.
Download the Portable KeePass Professional Edition ZIP Package found on the right. The reason for the portable version is that it does not require installation and you can put it on a flash drive. Same reason as above: you can log in from elsewhere, but how secure is that computer?
KeePass is actually very useful for managing all of your passwords (you should never use the same password for everything anyway). It stores all your passwords and can also auto-fill username/password fields in web browsers, or allow you to copy and paste into in-game logins such as World of Warcraft.
- Extract the downloaded file onto a Flash Drive that you carry around everywhere on a keychain or something if possible.
- Run KeePass.exe Application and click File > New.
- Create the Password Database on the same Flash Drive (if you're not using a flash drive, put it on your C drive; you may need to close the program and run it as administrator to do this depending on your OS security settings) - you can name it something like "KeePass Database" or whatever you want.
- Enter a Master Password and click OK. You could have 20 different passwords but this is the ONLY one that you ever need to remember. It gives you access to all your other passwords. You can also use Key File / Provider or Windows User Account security (you can use all three), but for this guide I will only be using Master Password. Follow good password creation practices.
- Enter a Database Name. Call it KeePass Database or whatever you wish.
You will now be taken back to the program and see 2 sample passwords already made, which you can delete.
- Right click in the main window that has Title, User Name, Password and URL Columns in it and choose Add Entry.
- Enter a title to describe what the login details are for.
- Enter your username and password.
- If it's for a website then enter the URL for that website too.
- Add any notes that you want and click OK (perhaps a link to this guide for future reference? :P).
You will now see your saved Entry in the main window. Now all you need to do is:
Right click the entry and choose URL(s) > Open, or just hit CTRL + U while you have the entry selected and it will open the website, in this case the World of Warcraft Battle.net website.
Once you have the website open, right click the entry again and choose Perform Auto-Type, or just hit CTRL + V while you have the entry selected and it will automatically fill and submit your details. NOTE: Some sites such as the Battle.net site will require you to open the Login Dialog Box first (KeePass is smart though and sometimes it automatically finds those login boxes and will open it for you, but you will need to click Perform Auto-Type a second time to fill it in).
CTRL + B while you have the entry selected will copy the Username, while CTRL + C will copy the password - so you can just copy and paste into your World of Warcraft in-game login screen too.
Using KeePass will allow you to practice proper password security by having a variety of passwords for different websites and logins and also protect you from keyloggers when logging into websites and games.
- Some keyloggers have the ability to check your clipboard/copy and paste data which can to an extent render KeePass useless but keep in mind that isn't the only security that KeePass is providing.
- KeePass promotes proper security practices by using a variety of unique login details for various websites or accounts.
- If your email login details, wow login details, computer login details, facebook login details and any other site or account login details are all unique and different from each other, you immediately reduce the chance of account compromise drastically.
- Instead of a hacker only needing to somehow obtain 1 of your many identical passwords (through identity theft, impersonation, guessing, bruteforce, etc.) to gain access to all of your accounts, they are now limited to that specific account only. If they compromise your Facebook account then they only have access to that account instead of access to everything else too.
- Remember KeePass offers up to 3 different combinations of security access to your password vault, Password authentication, Key File authentication and Windows User Account authentication - meaning even if they obtain your master password they still won't have access without the other 2.
World of Warcraft is a game with an enormous amount of customization available in terms of addons and UI packages. We as gold makers make particularly good use of these resources to enhance our game play and get an edge over our competitors. I use Curse for all my Addon Download needs, and very occasionally WoWInterface. I've never had any problems with either of them; account compromise through addons is VERY rare and usually found and reported immediately.
You can view my thread on How To Install An Addon if you are new to using them.
The only real tips I can give you for account security via addons is always download only from a trusted source such as Curse, never download, install or run executable addon files, never pay money for addons (it's against Blizzard's ToS/EULA anyways) and always only use addons that you have downloaded yourself.
I would highly recommend storing your addons on your Flash Drive too, or perhaps even using DropBox to store your addons so that you can access them any time from another computer. Come to think of it you could use DropBox to store KeePass databases and the program itself too. Here is a nice guide for using DropBox, otherwise just follow the tutorials on their site which are adequate too.
- Don't open ANY attachments in emails (unless it's work related and you're 100% sure it's safe). Tell the person to send it over MSN or something, but an email address can always be faked.
- Don't click any odd and/or unknown links sent via whisper, in trade, IRC, forums, or whatever. Don't know the person? Don't trust the person.
- You aren't banned (or being investigated) unless you get the "your account has been suspended" when trying to login. Don't trust any emails saying otherwise.
- You aren't invited for Alpha/BETA before the testing start has been announced on either MMO-Champion or another Blizzard fan site.
- Use an up-to-date browser. I would recommend Firefox with AdBlockPlus (ads can be used to infiltrate usually safe websites, as happened with World of Raids a long time ago).
- Update Windows and do a virus scan once every 5 weeks or so (more often is of course preferred).
- Don't share your login information with anyone. A very common tip, but people still do it to get around the queue or something like that. My advice: just don't do it. To skip the queue you could use TeamViewer or LogMeIn yourself.
- Don't buy power leveling services. Again: don't share your account information.
- Don't buy gold, or rent your account to gold farmers. Same as above.
- Don't install bots or other cheating applications. Keyloggers can be in anything.
- Use your common sense - train yourself to detect bad links and emails so that not opening them becomes a no-brainer.
I don't know how many times we need to say this, but NEVER EVER SHARE YOUR ACCOUNT DETAILS. I don't care if it's your real life friend of 20 years, your uncle or your wife. People often scoff and say that that person will never do anything, but you know what? If they are going to be logging in on a computer that isn't yours, and they haven't followed this guide accurately, then your chance of account compromise has just been raised a huge amount. Keyloggers, phishing attempts, viruses, malicious addons and malicious websites that someone else's computer may have been exposed to put your account at risk.
Lastly but certainly not least, the World of Warcraft Authenticator! A vital component to your maximum account security system. You can buy them from Blizzard, you can buy them from eBay, you can buy the mobile version on your iPhone and similar, and there are a few computer emulator ones floating around the net too.
To finish off, we will look at some of the procedures to regain control of your account and recover any lost items, gold and characters in case your account does indeed get compromised, or you wish to assist a friend who has suffered such a fate.
Blizzard have created an excellent series of Customer Support Videos on Youtube including a What to do after being hacked help video.
The Chapters that it covers are:
- Chapter 1 - Better Safe Than Sorry
- Chapter 2 - Secure Your Computer
- Chapter 3 - Secure Your Personal Accounts
- Chapter 4 - Recovery: Known Account Details
- Chapter 5 - Recovery: Unknown Account Details
- Chapter 6 - After Reporting The Compromise
A wealth of information and links about Anti-Viruses, Account Security, How to Request In-Game Support, Contact Billing and Account Services and other Support Articles for both US and EU players can be found in the video information.
Contributors: Zero and Blizzard Entertainment's Types of Account Thefts Security Page.